Re: [PATCH] usb: host: max3421: Fix shift-out-of-bounds in max3421_hub_control()

From: Seungjin Bae

Date: Sun May 17 2026 - 14:20:08 EST


On Sun, May 17, 2026 at 1:49 AM, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Sat, May 16, 2026 at 08:01:46PM -0400, pip-izony wrote:
> > From: Seungjin Bae <eeodqql09@xxxxxxxxx>
> >
> > So if a malicious userspace task with access to the root hub via
> > /dev/bus/usb/.../001 issues a USBDEVFS_CONTROL ioctl with `wValue`
> > greater than or equal to 32, the left shift operation invokes
> > shift-out-of-bounds undefined behavior. This results in arbitrary
> > bit corruption of `port_status`, including the normally-immutable
> > change bits, which can bypass internal state checks and confuse the
> > hub status.
> >
> > Fix this by rejecting requests whose `value` exceeds the shift width
> > before performing the shift.
> >
> > Fixes: 2d53139f3162 ("Add support for using a MAX3421E chip as a host driver.")
> > Signed-off-by: Seungjin Bae <eeodqql09@xxxxxxxxx>
> > ---
> > drivers/usb/host/max3421-hcd.c | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/drivers/usb/host/max3421-hcd.c b/drivers/usb/host/max3421-hcd.c
> > index 0e17c988d36a..3d6b351dcb1a 100644
> > --- a/drivers/usb/host/max3421-hcd.c
> > +++ b/drivers/usb/host/max3421-hcd.c
> > @@ -1694,6 +1694,8 @@ max3421_hub_control(struct usb_hcd *hcd, u16 type_req, u16 value, u16 index,
> > !pdata->vbus_active_level);
> > fallthrough;
> > default:
> > + if (value >= 32)
> > + goto error;
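Review bot: the bound in `if (value >= 32)` under `default:` is a bare literal. Deriving it from the width of `port_status` (for example with the kernel's BITS_PER_TYPE() on that field's type, or a named constant) would keep the check and the shifted type from drifting apart. The check is also reached through the `fallthrough` from the preceding case, so on that path the preceding case's call has already run before the request is rejected; it is worth confirming that path cannot carry an out-of-range `value`. The commit message says the fix rejects values that exceed the shift width, while the code also rejects a value equal to it (`>=`), which is the bound the bug description calls for, so the message wording could be tightened to match.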
>
> Cool, what tool found this? I've been running some static checkers and
> I don't think it turned this one up yet.
>
> thanks,
>
> greg k-h

Thanks for your interest!

It's a KLEE-based symbolic execution tool I've been developing for
kernel drivers. It's still a work in progress, but I'd be happy to
share more details and the tool itself once it's in better shape.

Seungjin Bae